After accessing the network provided by the operator, a terminal device carries out locking-onto-network operations to prevent the terminal device from accessing other networks. This serves two purposes: 1) preventing the terminal device from accessing fake base stations; some attackers set up a fake base station of their own and induce the terminal device to access it, thereby stealing personal information and even damaging the terminal device; and 2) preventing the terminal device from accessing networks provided by other operators. Competition in the communication market is now fierce, and every major operator adopts various schemes to attract new customers and retain old ones. Selling terminal devices such as mobile phones and network cards bundled with services is one scheme for attracting new customers. In this scheme the actual selling price of the terminal device is lower than the market price, so operators do not want the terminal devices to be used by subscribers in other operators' networks after the service period ends, but want the subscribers to continue using the services the operators themselves provide. To retain old customers, a requirement for a locking-onto-network function therefore emerges. This function binds the terminal device to an operator, so that the subscriber of the terminal device is restrained from using the services provided by other operators.
At the same time, operators can also unlock terminal devices to satisfy various requirements, such as after-sale maintenance and repair, and in particular situations allow users to have the device unlocked by paying a certain fee.
In order to solve the above technical problem, the present invention puts forward the following technical schemes.
Content of the Invention
The problem to be solved by the present invention is to provide a method, a system and a terminal device for locking a terminal device onto a network, so as to implement the locking-onto-network function.
To solve the above problem, the present invention provides a method for locking a terminal device onto a network. The method comprises a procedure of locking onto the network during network access: performing locking-onto-network configuration verification in the network access authentication process and, if the locking-onto-network configuration verification succeeds, proceeding to verification of the authentication certificate; otherwise, refusing the terminal device access to the network.
Furthermore, the network access authentication process is the process in which the terminal device authenticates an Authentication Authorization Accounting (AAA) server. The locking-onto-network configuration verification is a comparison of the locking-onto-network character string in the AAA server's authentication certificate with the locking-onto-network character string stored in the terminal device; if the locking-onto-network character string in the AAA server's authentication certificate is the same as the one stored in the terminal device, the locking-onto-network configuration verification is considered successful.
Furthermore, the locking-onto-network character string is the network name identifier of an operator, placed in the CN field of the Subject of the authentication certificate.
Furthermore, in the locking-onto-network configuration verification, before the locking-onto-network character strings are compared, it is judged from a locking-onto-network flag bit stored in the terminal device whether the locking-onto-network function is enabled; if so, the locking-onto-network character strings are compared, otherwise the authentication certificate verification is performed directly.
Furthermore, the method further comprises an unlocking procedure, which comprises: an Over The Air (OTA) server obtaining the unlocking keys stored by an operator server and by the terminal device respectively, and comparing the unlocking key stored by the operator server with the one stored by the terminal device; and, if the unlocking keys are the same, the OTA server notifying the terminal device to set the locking-onto-network flag bit to "locking-onto-network function disabled" and to clear the locking-onto-network character string.
Furthermore, the method further comprises a procedure of locking again after accessing the network, which comprises: an Over The Air (OTA) server calculating an unlocking key for the terminal device and notifying an operator server and the terminal device to store this unlocking key; the OTA server transmitting the locking-onto-network flag bit and the locking-onto-network character string to the terminal device; and the terminal device storing the locking-onto-network character string and setting the locking-onto-network flag bit to "locking-onto-network function enabled".
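As an added example that is not part of the patent text, the following Python models the terminal-side decision order of the method above (flag bit, then CN comparison, then certificate verification) together with the OTA unlocking and locking-again steps. Certificate subjects are represented as dicts and the certificate check by a stand-in issuer comparison; both are assumptions made here so the block runs offline.

```python
import hmac
import secrets


class Terminal:
    def __init__(self, device_id):
        self.device_id = device_id
        self.lock_enabled = False   # locking-onto-network flag bit
        self.lock_string = None     # locking-onto-network character string
        self.unlock_key = None      # unlocking key pushed by the OTA server
        self.trusted_issuer = "AAA-Root"  # stand-in for the certificate the authentication module stores (assumption)

    def verify_certificate(self, cert):
        # Stand-in for the authentication module (assumption): a real check validates
        # signature, chain and validity period against the stored certificate.
        return cert.get("issuer") == self.trusted_issuer

    def access_network(self, cert):
        """Apply the order given in the method: flag bit, then CN comparison, then certificate."""
        if self.lock_enabled:
            cn = cert.get("subject", {}).get("CN", "")
            if not cn or not hmac.compare_digest(cn.encode(), (self.lock_string or "").encode()):
                return False  # lock verification failed: refuse network access
        return self.verify_certificate(cert)


class OtaServer:
    def __init__(self):
        self.operator_store = {}  # stands in for the operator server's key store (assumption)

    def lock(self, terminal, network_name):
        # Locking again after network access: derive an unlocking key, have both sides
        # store it, then push the flag bit and the locking-onto-network string.
        key = secrets.token_hex(16)
        self.operator_store[terminal.device_id] = key
        terminal.unlock_key = key
        terminal.lock_string = network_name
        terminal.lock_enabled = True

    def unlock(self, terminal):
        # Unlocking: compare the operator-stored key with the terminal's copy; on a match,
        # set the flag bit to disabled and clear the locking-onto-network string.
        stored = self.operator_store.get(terminal.device_id)
        if stored is None or terminal.unlock_key is None:
            return False  # no key on one side: nothing to compare, refuse
        if not hmac.compare_digest(stored.encode(), terminal.unlock_key.encode()):
            return False
        terminal.lock_enabled = False
        terminal.lock_string = None
        return True
```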
To solve the above technical problem, the present invention also provides a system for locking a terminal device onto a network. The system performs locking-onto-network configuration verification in the network access authentication process and, if the locking-onto-network configuration verification succeeds, proceeds to verification of the authentication certificate; otherwise it refuses the terminal device access to the network.
Furthermore, the system includes an Authentication Authorization Accounting (AAA) server and a terminal device, wherein
the AAA server is used for transmitting an authentication certificate to the terminal device, the authentication certificate including a locking-onto-network character string;
the terminal device includes a transceiver module, a locking-onto-network module and an authentication module, wherein,
the transceiver module is used for receiving the authentication certificate;
the locking-onto-network module is used for performing locking-onto-network verification between the locking-onto-network character string in the authentication certificate transmitted by the AAA server and the locking-onto-network character string stored in the terminal device, and for enabling the authentication module to perform authentication if the locking-onto-network character string in the authentication certificate transmitted by the AAA server is the same as the one stored in the terminal device;
the authentication module is used for verifying the authentication certificate transmitted by the AAA server according to a certificate it stores itself.
Furthermore, the locking-onto-network module is also used for storing a locking-onto-network flag bit; if the locking-onto-network flag bit denotes that the locking-onto-network function is disabled, the locking-onto-network module directly enables the authentication module to perform authentication, otherwise it starts verification of the locking-onto-network character string.
Furthermore, the system further includes an Over The Air (OTA) server and an operator server. The OTA server is used for verifying the unlocking keys stored by the operator server and by the terminal device respectively, and for notifying the terminal device to clear the locking-onto-network character string and reset the locking-onto-network flag bit, which implements the unlocking function. The OTA server is also used for calculating an unlocking key, notifying the operator server and the terminal device to store this unlocking key, and notifying the terminal device to store the locking-onto-network character string and set the locking-onto-network flag bit, which implements the function of locking again after accessing the network. The locking-onto-network module of the terminal device performs storage and updates according to the notifications of the OTA server.
To solve the above problem, the present invention also provides a terminal device having a locking-onto-network function. The terminal device includes a transceiver module, a locking-onto-network module and an authentication module, wherein
the transceiver module is used for receiving an authentication certificate transmitted by an Authentication Authorization Accounting (AAA) server, the authentication certificate including a locking-onto-network character string;
the locking-onto-network module is used for performing locking-onto-network verification between the locking-onto-network character string in the authentication certificate transmitted by the AAA server and a locking-onto-network character string stored in the terminal device, and for enabling the authentication module to perform authentication if the locking-onto-network character string in the authentication certificate transmitted by the AAA server is the same as the one stored in the terminal device;
the authentication module is used for verifying the authentication certificate transmitted by the AAA server according to a certificate it stores itself.
Furthermore, the locking-onto-network module is also used for storing a locking-onto-network flag bit; if the locking-onto-network flag bit denotes that the locking-onto-network function is disabled, the locking-onto-network module directly enables the authentication module to perform authentication, otherwise it starts verification of the locking-onto-network character string.
Compared with the prior art, the method, system and terminal device of the present invention make use of the authentication process and require the terminal device and the server to be configured with a uniform locking-onto-network character string, which gives high security. In addition, the method, system and terminal device of the present invention can implement unlocking and locking again after network access through air-interface management in the OTA manner, which offers high flexibility and applicability and can well satisfy the requirements of 4G networks such as WiMAX and LTE.